Ransomware is a favorite way for unscrupulous people to make money, so you need to ensure your organization won't end up paying a ransom. Having a ransomware recovery plan is crucial to surviving an attack. Every device on your network should be patched and running an up-to-date antimalware product. Invest in training both IT staff and line-of-business staff so they are aware of how ransomware can get into the network, what signs to look for and how they should respond.
Unfortunately, we know from the WannaCry virus that these protections alone are not enough, so planning a recovery strategy is crucial. Backups are your best method of recovery; they should be trusted and include all the files needed to recover compromised data.
How often do you back up?
If you need to restore from the last backup, all the work between the time of the backup and the ransomware infection will be lost. The recovery point objective (RPO) is the acceptable period of data loss the business has agreed to, and it's an important part of a ransomware strategy. Different applications often have different RPO requirements.
When testing your ransomware recovery plan, ensure backups run frequently enough that any potential data loss is acceptable. Many products can back up near continuously, provided you have space to store the data.
How long does a restore take?
Restore time is at the center of the business impact of a ransomware infection. The recovery time objective (RTO) is the time from an event that stops work until work can resume. Like RPO, there will probably be different RTOs for different applications. The bottom line is that the longer the recovery time, the higher the cost to the business for the infection. If the restore cannot start until backup tapes are retrieved from off-site storage, an outage could last hours or days.
On the other hand, if your infrastructure allows for immediate rollback, you may be able to recover data very quickly. Bear in mind that PCs infected with ransomware need to be removed from your network before any recovery can start. Otherwise, the ransomware will re-encrypt the restored files.
You can help to reduce recovery times by educating users about ransomware, particularly how to recognize an infection and how to respond to the situation. The first response may simply be to shut down the PC and phone the help desk.
Can you trust your backups?
The only way to trust your backup strategy is to test your data restoration process. Users accidentally deleting their files usually provide IT staff with a natural reason to restore individual files. If users are not requesting restores, then scheduling weekly or monthly restoration tests as part of your ransomware recovery plan can help verify that file restoration is possible.
Some ransomware infections are caused by a single, vulnerable computer and an unlucky or careless user. Just a few critical files are affected and the issue is detected quickly. More often, the ransomware infection rips through the whole network, and thousands of files are encrypted before the infection can be stopped. To recover from massive file encryption, you will need to do whole server restores and often multiple servers at the same time. Fast recovery is often entirely dependent on throughput; on-site disk systems or modern tape systems offer fast streaming restores.
Some storage systems allow virtual machines to be started directly from the backup store without any data copies. Any strictly off-site backup will have challenges. For off-site tapes or disks, you will need to wait for physical media to get back to your site. Restoration speeds for cloud-based backups are limited by your internet connection speed. I am a big fan of on-site backup stores for restores to production, coupled with cloud-based stores for long-term retention.
Are your files safe?
A significant ransomware trend is to encrypt backup files. Ransomware creators know that anyone who can restore from a backup will not pay the ransom, so they quickly target these files for deletion or encryption. So where do you store your backups? If they sit on a file share, they are exposed to the same ransomware that hits the rest of the network, and the same applies to backup files kept on a server that ordinary accounts can write to. Some careful security practices will help minimize the risk to your backup files and maximize your chance of recovery.
When crafting your ransomware recovery plan, create a dedicated backup service account that no one uses to log into a desktop and that is never used for any other purpose. Next, ensure that account is the only one with write access to the backup files. No other account should be able to encrypt or delete these files.
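One way to verify the "only the backup account can write" rule on a POSIX backup store, as an added example that is not part of the original article: the script below walks the store and reports any file or directory that is not owned by the backup service account, that is writable by group or other (a writable directory lets anyone delete or rename the backups inside it), or that is a symlink pointing out of the store. The root path and the account name are assumptions passed on the command line.

```python
import os
import stat
import sys
from pathlib import Path

# Permission bits that let anyone other than the owner modify an entry.
NON_OWNER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_backup_store(root, backup_uid):
    """Walk a backup store and report every entry that an account other
    than the backup service account could encrypt, delete or redirect.

    Returns a list of (path, reason) tuples; an empty list means the
    store passes the check.
    """
    findings = []
    root = Path(root)
    for path in [root] + sorted(root.rglob("*")):
        st = path.lstat()  # lstat: never follow links out of the store
        if stat.S_ISLNK(st.st_mode):
            findings.append((str(path), "symlink inside backup store"))
            continue
        if st.st_uid != backup_uid:
            findings.append((str(path),
                             f"owned by uid {st.st_uid}, not the backup account"))
        if st.st_mode & NON_OWNER_WRITE:
            kind = "directory" if stat.S_ISDIR(st.st_mode) else "file"
            mode = stat.S_IMODE(st.st_mode)
            findings.append((str(path),
                             f"{kind} writable by group/other (mode {mode:04o})"))
    return findings


def uid_of(username):
    """Resolve the backup service account name to a uid (POSIX only)."""
    import pwd
    return pwd.getpwnam(username).pw_uid


if __name__ == "__main__":
    # Usage (assumed paths/names): audit.py /srv/backups backup-svc
    store, account = sys.argv[1], sys.argv[2]
    problems = audit_backup_store(store, uid_of(account))
    for entry, reason in problems:
        print(f"{entry}: {reason}")
    sys.exit(1 if problems else 0)
```

Run it from a scheduled job under a monitoring account and treat any finding as an incident, since a writable backup file is exactly what the encryption-of-backups trend relies on.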
The key to recovering from a ransomware infection is to have secure backups that you know can be restored from promptly. Testing your ransomware recovery plan and educating users will go a long way in ensuring you never need to pay that ransom.